OpenLDAP schema to store OpenPGP keys?

David Shaw dshaw at jabberwocky.com
Tue Feb 21 23:59:10 CET 2006


On Tue, Feb 21, 2006 at 11:35:02PM +0100, Walter Haidinger wrote:

> > > > An LDAP keyserver would be useful as a company keyserver where people
> > > > inside the company IP range or an administrator can add keys, and the
> > > > rest of the world can just read. 
> > > 
> > > That eliminates tcp-wrapping. You'd have to grant write access by 
> > > using the peername statement in the access <who> field, right? 
> > 
> > Yes.  Something like peername.ip=192.168.1.0%255.255.255.0 to specify
> > the "inside the company" range for those who can write.
> 
> I see, but I'd rather have IP-based access control handled by 
> either tcp-wrappers or firewall rules. 
> Read/write access should be governed by user authentication, IMHO.

It's certainly finer-grained.  With authentication, you can restrict
each user to their own key.  However, then you give yourself a
password management headache :)

> > The problem here is remote authentication.  Each user would need some
> > way to authenticate to the LDAP server to give them the delete
> > ability.  
> 
> Every user could get his own DN just for authentication, like 
> dn="uid=username,ou=pgpusers,dc=example" 
> 
> > LDAP can do this, of course, and GPG doesn't care one way or
> > the other, but how would you handle password distribution for each
> > user?
> 
> Why not give out initial passwords for DNs like above and let 
> people change the userPassword attribute using either ldapmodify 
> or a frontend? Then, each user would have to specify his login DN 
> to access his keys.

That sounds like it would work fine.  Most of the work is on the LDAP
configuration side, but it would be easy enough to add binddn and
bindpw to gpgkeys_ldap for the GPG piece.  However, the problem is how
to handle the password on the GPG side.  Prompt the user each time he
uses the keyserver?  Inconvenient, plus GPG has no code for this
today.  Stick it in a config file?  Potentially dangerous.  How
sensitive is this password?  Is a mode 600 file secure for your usage?

David
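
The closing question (is a mode 600 file enough?) can be enforced by whatever reads the file rather than assumed. The following is an added example, not code from this message or from gpgkeys_ldap: a C check that refuses to read a bind password unless the file is a regular file, owned by the caller, with no group or other permission bits. The file name and the "bindpw <value>" line format are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
enum { PW_OK = 0, PW_EOPEN = -1, PW_ETYPE = -2, PW_EOWNER = -3, PW_EMODE = -4, PW_EMISSING = -5 };

/* Read "bindpw <value>" (assumed format) only from a file private to the caller. */
int load_bindpw(const char *path, char *out, size_t outlen) {
    struct stat st; char line[256];
    /* O_NOFOLLOW: a symlink planted at this path is rejected, not followed. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return PW_EOPEN;
    int rc = PW_EMISSING;
    /* fstat() the open descriptor so the checks and the read use the same file. */
    if (fstat(fd, &st) != 0) rc = PW_EOPEN;
    else if (!S_ISREG(st.st_mode)) rc = PW_ETYPE;
    else if (st.st_uid != geteuid()) rc = PW_EOWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO)) rc = PW_EMODE; /* looser than 600 */
    FILE *fp = (rc == PW_EMISSING) ? fdopen(fd, "r") : NULL;
    if (!fp) { close(fd); return rc == PW_EMISSING ? PW_EOPEN : rc; }
    while (rc != PW_OK && fgets(line, sizeof line, fp)) {
        if (strncmp(line, "bindpw ", 7) != 0) continue;
        line[strcspn(line, "\r\n")] = '\0';
        snprintf(out, outlen, "%s", line + 7);
        rc = PW_OK;
    }
    fclose(fp);
    return rc;
}

/* Demo helper: write a constructed sample file with exactly the given mode. */
int write_sample(const char *path, mode_t mode) {
    const char *body = "binddn uid=username,ou=pgpusers,dc=example\nbindpw constructed-secret\n";
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, body, strlen(body)) == (ssize_t)strlen(body) && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

int main(void) {
    char pw[64];
    write_sample("bindpw_sample.conf", 0644);
    printf("mode 644 -> %d\n", load_bindpw("bindpw_sample.conf", pw, sizeof pw));
    write_sample("bindpw_sample.conf", 0600);
    printf("mode 600 -> %d\n", load_bindpw("bindpw_sample.conf", pw, sizeof pw));
    return unlink("bindpw_sample.conf");
}
```

The check only covers other local accounts: root, backups and anyone with access to the disk can still read a mode 600 file.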


